DHS nppd-cyber-ecosystem-white-paper-03-23-2011.pdf
7/28/2019 DHS nppd-cyber-ecosystem-white-paper-03-23-2011.pdf

Enabling Distributed Security in Cyberspace: Building a Healthy and Resilient Cyber Ecosystem with Automated Collective Action

March 23, 2011
Executive Summary
Like natural ecosystems, the cyber ecosystem comprises a variety of diverse participants: private firms, non-profits, governments, individuals, processes, and cyber devices (computers, software, and communications technologies), which interact for multiple purposes. Today in cyberspace, intelligent adversaries exploit vulnerabilities and create incidents that propagate at machine speeds to steal identities, resources, and advantage. The rising volume and virulence of these attacks have the potential to degrade our economic capacity and threaten basic services that underpin our modern way of life.

This discussion paper explores the idea of a healthy, resilient, and fundamentally more secure cyber ecosystem of the future, in which cyber participants, including cyber devices, are able to work together in near real time to anticipate and prevent cyber attacks, limit the spread of attacks across participating devices, minimize the consequences of attacks, and recover to a trusted state. In this future cyber ecosystem, security capabilities are built into cyber devices in a way that allows preventive and defensive courses of action to be coordinated within and among communities of devices. Power is distributed among participants, and near real time coordination is enabled by combining the innate and interoperable capabilities of individual devices with trusted information exchanges and shared, configurable policies.
To illuminate such a cyber ecosystem in action, one might look at today's practice known as continuous monitoring, in which system managers use a variety of software products to automatically detect and report known security vulnerabilities in network nodes. In some cases, system managers further configure their systems to automatically remediate detected security deficiencies. To offer an analogy, continuous monitoring is to a healthy cyber ecosystem as smoke detectors and sprinkler systems are to a smart building.
At the other end of sophistication in the orderly management of a complex system, we draw inspiration from the human body's immune system. To paint a picture that mirrors the body's ability to defend itself is complex. It might include layered defenses and countermeasures that work in tandem; specialized roles; powerful methods for rapidly identifying attackers; surge capabilities; and the ability to learn and rapidly adapt. A companion analogy may be made to the public health system and the Centers for Disease Control and Prevention (CDC). Here, cyber equivalent functions might include threat and incident watch, data dissemination, threat analysis, intervention recommendations, and coordination of preventive actions.
Automation is one of three interdependent building blocks of a healthy cyber ecosystem, along with interoperability and authentication. Automation can increase speed of action, optimize decision making, and ease adoption of new security solutions. A healthy cyber ecosystem might employ an automation strategy of fixed, local defenses supported by mobile and global defenses at multiple levels. Such a strategy could enable the cyber ecosystem to sustain itself and supported missions while fighting through attacks. Further, it could enable the ecosystem to continuously strengthen itself against the cyber equivalent of autoimmune disorders.
Interoperability can broaden and strengthen collaboration, create new intelligence, hasten and spread learning, and improve situational awareness. This paper posits three types of interoperability (semantic, i.e., a shared lexicon based on common understanding; technical; and policy) as fundamental to integrating disparate cyber participants into a comprehensive cyber defense system. It examines how the cybersecurity community has achieved some early successes by explicitly separating the management of security information from the management of security functions in an approach called security content automation. Such successes include: developing naming conventions and shared lists and catalogs of the fundamental elements that we identify here as the ecosystem; creating and using machine readable languages and formats for expressing security policies or encoding security transactions; and developing and using knowledge repositories for best practices, benchmarks, profiles, standards, templates, checklists, tools, guidelines, rules and principles, among others. The paper also looks at some challenges associated with expanding this approach to ensure a widely distributed, automated, collective defense.
Authentication can improve trust in ways that enhance privacy and decision making. It is integral to many capabilities beyond cyber defense, and the paper looks to the emerging National Strategy for Trusted Identities in Cyberspace (NSTIC), detailed below, to build a shared foundation. The paper calls for identification and authentication technologies that deliver across five operational objectives: security, affordability, ease of use and administration, scalability, and interoperability. Additionally, the paper calls for consumer guides that rate technologies across all five objectives and assist system developers and owners in making phased improvements and selections. For automated cyber defense, it calls for strong standards-based device authentication, including for software, handheld devices, and small, often wireless, devices composing massively scalable grids.
The paper also draws on current research on network-enabled enterprises that is recasting traditional notions of command and control in the direction of focus and convergence. Focus provides the context and defines the purposes of an endeavor, but is agnostic regarding who might be in charge or particular lines of authority. Convergence refers to the goal-seeking process that guides actions and effects, but recognizes that control works in an unconventional manner in highly distributed systems. The paper presents a five-level maturity model for ecosystem focus and convergence that is associated with increasing agility and provides an approach for defining how to achieve and employ these various levels. Ecosystem maturity is further explored through a discussion of healthy attributes: eight for the ecosystem and eighteen for participants and exchanges.
The paper concludes with a brief discussion of incentives and recommendations for the way ahead. It posits that the slow adoption of available best practices and technologies in the face of increasing cyber attacks indicates an imbalance of incentives and proposes that better and more widely disseminated aggregated and anonymized information about the frequency and actual harm of cyber attacks is needed. Despite the many open questions remaining, the field is ripe for planning and action. Feedback on this paper and comment on all aspects of the
Table of Contents

Executive Summary ... 2
Background and Purpose ... 5
The Case for a More Secure Cyber Ecosystem ... 5
Building Blocks for a Healthy Cyber Ecosystem ... 8
Building Block 1: Automation ... 8
Building Block 2: Interoperability ... 11
Building Block 3: Authentication ... 17
Key Concepts ... 18
Focus, Convergence, and Maturity ... 18
Attributes of a Healthy Cyber Ecosystem ... 22
Attributes of Healthy Participants ... 24
Incentives and Adoption ... 26
Way Ahead ... 27
Glossary ... 28
Background and Purpose

This paper was prepared under the direction of Philip Reitinger, Deputy Under Secretary for the National Protection and Programs Directorate (NPPD), U.S. Department of Homeland Security, with support from the NPPD Cyber+Strategy Staff, the federally funded Homeland Security Systems Engineering and Development Institute (HSSEDI), and the NPPD Office of Cybersecurity and Communications (CS&C). In 2010, NPPD sponsored a government workshop to discuss a draft of this paper. Recommendations from that workshop have been incorporated.
This paper explores a future, a healthy cyber ecosystem, where cyber devices collaborate in near real time in their own defense. In this future, cyber devices have innate capabilities that enable them to work together to anticipate and prevent cyber attacks, limit the spread of attacks across participating devices, minimize the consequences of attacks, and recover to a trusted state.
This paper presents three building blocks as foundational for a healthy cyber ecosystem: automation, interoperability, and authentication. The paper then considers how these building blocks contribute to ecosystem maturity and explores incentives for creating such a system. It concludes with thoughts on the way ahead.
The envisioned end state is focused specifically on capabilities that can be achieved in the near and mid term by utilizing standards-based software and information to strengthen self defense through automated collective action. This paper is meant to provoke discussion and further exploration of the topic.

This paper is available online at http://www.dhs.gov/xlibrary/assets/nppd-healthy-cyber-ecosystem.pdf. Comments and feedback are welcome at cyberfeedback@dhs.gov. You may also contact cyberfeedback@dhs.gov if you are interested in hosting a discussion on this topic.
The Case for a More Secure Cyber Ecosystem

Cyber attacks have become more frequent, more widespread, and more consequential. Forecasts for 2011 and beyond project continued increases in both the volume and virulence of cyber attacks. These mostly unattributed incidents reduce the availability of this vital medium for information exchange and impair the ability of the information environment to be a mission multiplier and support more effective and efficient business processes. Needless to say, an insecure environment also weakens the privacy of cyber ecosystem participants.
At the same time, the Nation is significantly expanding the cyber capabilities that power its economy and support its homeland and national security. The transformations being undertaken in the financial, health care, energy, transportation, homeland security, defense, and intelligence sectors are predicated on an expectation that cyber devices (computers, software, and communications technologies), communications networks, and embedded control systems for critical infrastructures will be available and perform as expected. (As examples, see Figures 1 and 2 for profiles of the Next Generation Air Transportation System and Smart Grid.)
Figure 1: Next Generation Air Transportation System (NextGen)

NextGen is a comprehensive overhaul of the U.S. national airspace system from air traffic control to air traffic management and from ground-based to satellite-based capabilities. It is employing continuous roll out of improvements and upgrades to make air travel more convenient and dependable, more economical, and more environmentally friendly, while ensuring flights are as safe, secure and hassle free as possible. NextGen offers advantages to all stakeholders: consumers, service providers, neighbors (e.g., noise reduction), and the environment.

The NextGen portfolio is organized into seven solution sets, each focusing on a series of related operational changes that together will bring about the mid-term system.

The NextGen Information Systems Security Architecture addresses how to:
- Keep the Bad Stuff Out (external boundary protection and certified software management)
- Make Sure You Know To Whom You Are Talking (identity and key management)
- If They Get In, Make Sure You Find Them and Deal With the Problem (intrusion detection and response)
- Minimize Damage Once In; Don't Let it Spread (internal policy enforcement)

http://www.faa.gov/nextgen/
Cyber defense today is founded on ad hoc, manual processes; yet cyber attacks often follow a well-known, systematic escalation path beginning with reconnaissance activities and extending to gaining entry, establishing persistence, setting up external communications pathways, and conducting attack operations. If cyber devices communicated in near real time with each other about attacks, and took coordinated security hardening response actions consistent with a defined policy framework, then critical business, mission and privacy objectives could be better supported, and many security risks could be managed proactively and dynamically. Automated defenses could be effective at the earliest, least costly stage of the life cycle as well as at the later stages of an attack when malicious code and other attack elements propagate at machine speed. These defenses could be effective against all threats including financial fraud, identity theft, and advanced, persistent threats that exploit unauthorized access to intellectual property and sensitive information.
Figure 2: Smart Grid

Smart Grid comprises the electric transmission and distribution systems and myriads of local area networks that use distributed energy resources to serve local loads and/or to meet specific application requirements for remote power, village or district power, premium power, and critical loads protection.

Electric grid stakeholders representing utilities, technology providers, researchers, policy makers, and consumers have worked together to define the functions of a smart grid, and they have identified the following characteristics or performance features:
- Self healing from power disturbance events
- Enabling active participation by consumers in demand response
- Operating resiliently against physical and cyber attack
- Providing power quality for 21st century needs
- Accommodating all generation and storage options
- Enabling new products, services, and markets
- Optimizing assets and operating efficiently

http://www.oe.energy.gov/smartgrid.htm

In January 2003, the Slammer worm infected some 247,000 Internet hosts. Over 90 percent of the infections occurred within 10 minutes of release, and the worm achieved its full scanning rate (over 55 million scans per second) in approximately 3 minutes. While Slammer did not carry a malicious payload, the volume of traffic it produced swamped networks, causing disconnected ATMs (over 13,000 reported by a single bank), cancelled airline flights, and disrupted elections and 911 services. Cleanup costs worldwide were estimated at between $750 million and $1.2 billion.[1][2] Recently, more highly sophisticated and targeted attacks have been regularly reported.
Imagine a future where cyber devices have an innate ability to correlate operational information and to deduce that a device in their domain has been infected with possible malware. One indicator might be an unusually high number of random connection requests and a corresponding high failure rate. The scenario:
- A healthy device detects an infection in another device. (A discussion of healthy participants, that is, persons, devices, and processes, is provided later in this paper);
- The device stops receiving and forwarding messages from the infected source and informs surrounding healthy devices about the identity of the suspected threat;
- Healthy devices receiving the threat alert employ a threshold defense to minimize the risk of false alarms; that is, they defer action until alerts are received from some predetermined number of independent devices;
- The alert threshold is reached, and participating healthy devices stop receiving and forwarding messages from the infected device, effectively neutralizing its ability to spread the infection; and finally
- Communications are re-established when the infected devices are cleaned.
Some simulations[3][4] indicate that about 30 to 35 percent of devices would need to cooperate in order for such a course of action to work. These numbers are important, because they indicate that success is not dependent on the participation of all or even a majority of devices; therefore, large scale infrastructure modification is not required to make the ecosystem fundamentally more secure.[5]
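The threshold defense described in the scenario above, as an added toy simulation that is not part of this paper or of the cited studies. It is a constructed model: a ring network with random shortcut edges, a fixed fraction of cooperating devices, a per-contact detection probability, and a threshold of independent reporters before a device blocks a suspect. The parameters are illustrative and the model does not reproduce the 30 to 35 percent figure quoted above; what it shows is the mechanics of deferring action until enough distinct devices agree, and how partial participation changes the outcome.

```python
"""Toy simulation of the threshold defense: a healthy device stops forwarding
traffic from a suspected device once enough independent neighbors have raised
an alert.  Constructed example; topology and probabilities are assumptions."""
import random
from dataclasses import dataclass, field


@dataclass
class Device:
    ident: int
    cooperating: bool                 # participates in the collective defense
    infected: bool = False
    # suspect id -> set of distinct devices that reported it ("independent" alerts)
    alerts: dict = field(default_factory=dict)
    blocked: set = field(default_factory=set)   # suspects this device ignores

    def receive_alert(self, suspect: int, reporter: int, threshold: int) -> bool:
        """Record an alert about `suspect`; block it once `threshold` distinct
        reporters agree.  Returns True if the suspect is (now) blocked.
        Repeated alerts from the same reporter do not count twice."""
        if not self.cooperating:
            return False
        reporters = self.alerts.setdefault(suspect, set())
        reporters.add(reporter)
        if len(reporters) >= threshold:
            self.blocked.add(suspect)
        return suspect in self.blocked


def build_topology(n: int, extra_edges: int, rng: random.Random) -> dict:
    """Ring (guarantees the graph is connected) plus random shortcut edges."""
    nbrs = {i: {(i - 1) % n, (i + 1) % n} for i in range(n)}
    for _ in range(extra_edges):
        a, b = rng.randrange(n), rng.randrange(n)
        if a != b:
            nbrs[a].add(b)
            nbrs[b].add(a)
    return nbrs


def simulate(n: int = 200, cooperation: float = 0.35, threshold: int = 2,
             detect_p: float = 0.7, rounds: int = None, seed: int = 1) -> int:
    """Spread an infection from device 0 and return how many devices end up
    infected.  `cooperation` is the fraction of devices running the defense;
    `detect_p` is the chance a cooperating device notices the anomalous
    connection pattern (many random requests, high failure rate) on contact."""
    rng = random.Random(seed)
    nbrs = build_topology(n, extra_edges=n, rng=rng)
    devices = [Device(i, rng.random() < cooperation) for i in range(n)]
    devices[0].infected = True                       # patient zero
    for _ in range(rounds if rounds is not None else n):
        spreaders = [d for d in devices if d.infected]   # snapshot per round
        for src in spreaders:
            for j in nbrs[src.ident]:
                dst = devices[j]
                if dst.infected or src.ident in dst.blocked:
                    continue                          # already lost, or quarantined
                if dst.cooperating and rng.random() < detect_p:
                    dst.blocked.add(src.ident)        # stop forwarding from source
                    for k in nbrs[dst.ident]:         # tell surrounding devices
                        devices[k].receive_alert(src.ident, dst.ident, threshold)
                else:
                    dst.infected = True
    return sum(d.infected for d in devices)


if __name__ == "__main__":
    for coop in (0.0, 0.2, 0.35, 0.5, 1.0):
        print(f"cooperation={coop:.2f}  infected={simulate(cooperation=coop)}")
```

With no cooperating devices every reachable device is eventually infected; with every device cooperating and certain detection, patient zero's neighbors block it on first contact and nothing else is infected. Intermediate values depend on the random topology and seed, which is the point of running the model rather than reasoning about it.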
The defenses present in a healthy cyber ecosystem could intervene at essentially any point during complex attacks. For example, an alert could come from trusted and authenticated sources such as other devices inside the infrastructure that detect anomalous behavior, another company or entity under attack, a monitoring service, or the United States Computer Emergency Readiness Team (US-CERT). If from an external source, the alert could come directly into an entity's systems and in a format such as eXtensible Markup Language (XML) that cyber devices could read. In response to the alert, the infrastructure could automatically check itself then notify officials of the exact location and extent of compromise or of susceptibility to a potential attack. In response, a digital policy (i.e., machine instructions) could be deployed to take infected devices offline, change the configuration of healthy devices to harden them against potential attack, block the incoming malware, or block outbound traffic to the receiving site(s). Immediately upon detection of a compromise, a digital policy could be deployed to alert others of the situation and begin sharing discoveries in an information exchange format that could be authenticated and automatically fed into cyber devices in other cyber infrastructures.

[1] Sean P. Gorman, Rajendra G. Kulkarni, Laurie A. Schintler, and Roger R. Stough, Least Effort Strategies for Cybersecurity, http://arxiv.org/ftp/cond-mat/papers/0306/0306002.pdf
[2] Anil Ananthaswamy, Internet immunity system promises to defang worm attacks, http://www.newscientist.com/article/mj20327215.000-internet-immune-system-could-block-viruses.html
[3] Gorman et al.
[4] Ananthaswamy
[5] See Using External Security Monitors to Secure BGP, Patrick Reynolds, Oliver Kennedy, Emin Gun Sirer, and Fred B. Schneider at http://www.cs.cornell.edu/fbs/publications/NexusBGPtr.pdf for another indicator that ecosystem health could be improved with marginal impact to existing devices, protocols, and operations. Reynolds et al. say that deploying an external security monitor to a random 10% of autonomous systems in the Internet suffices to guarantee security for 80% of Internet routes where both endpoints are monitored.
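The paragraph above describes an alert arriving in a machine-readable format that can be authenticated and turned into a digital policy. The following is an added example, not from the paper: a constructed XML alert carried in an envelope authenticated with an HMAC over a pre-shared key (a stand-in for whatever signature scheme a real exchange would use), parsed with the standard library, checked against operator-set thresholds, and mapped to the defensive actions the paragraph names (isolate the suspect device, block outbound traffic to the receiving site, harden healthy devices). The alert schema, indicator names, thresholds and action names are all assumptions.

```python
"""Constructed example: consume an authenticated XML alert and derive a
digital policy (a list of defensive actions).  Schema, key and action names
are assumptions, not from the paper or any real exchange format."""
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Pre-shared key between the alert source and this infrastructure (constructed).
SHARED_KEY = b"constructed-demo-key"

# Constructed alert body: observations about one device plus the site the
# suspected malware is talking to.
ALERT_BODY = (
    '<alert id="constructed-0001" source="monitoring-service">'
    '<observation device="host-17" indicator="connection-failure-rate" value="0.92"/>'
    '<observation device="host-17" indicator="connections-per-minute" value="4800"/>'
    '<sink>203.0.113.7</sink>'
    '</alert>'
)

# Thresholds a site operator would set (constructed values).
THRESHOLDS = {"connection-failure-rate": 0.8, "connections-per-minute": 1000.0}


def sign(body: str, key: bytes = SHARED_KEY) -> str:
    """HMAC-SHA256 over the exact body text the receiver will verify."""
    return hmac.new(key, body.encode("utf-8"), hashlib.sha256).hexdigest()


def wrap(body: str, key: bytes = SHARED_KEY) -> str:
    """Put the alert body inside an envelope carrying its MAC.  The body is
    stored as text, so ElementTree escapes it and gives it back unchanged."""
    env = ET.Element("envelope", mac=sign(body, key))
    env.text = body
    return ET.tostring(env, encoding="unicode")


def unwrap(envelope_xml: str, key: bytes = SHARED_KEY) -> ET.Element:
    """Verify the envelope MAC before parsing the alert inside it."""
    env = ET.fromstring(envelope_xml)
    body = env.text or ""
    if env.tag != "envelope" or not hmac.compare_digest(env.get("mac", ""), sign(body, key)):
        raise ValueError("alert failed authentication")
    return ET.fromstring(body)


def derive_policy(alert: ET.Element) -> list:
    """Map an authenticated alert to defensive actions (the digital policy)."""
    suspects = set()
    for obs in alert.findall("observation"):
        limit = THRESHOLDS.get(obs.get("indicator"))
        if limit is not None and float(obs.get("value", "0")) >= limit:
            suspects.add(obs.get("device"))
    actions = [("isolate", dev) for dev in sorted(suspects)]          # take offline
    actions += [("block-outbound", sink.text.strip()) for sink in alert.findall("sink")]
    if suspects:
        actions.append(("harden", "healthy-devices"))                   # tighten the rest
    return actions


def handle(envelope_xml: str, key: bytes = SHARED_KEY) -> list:
    """Entry point a device would call on receipt; unauthenticated or
    malformed alerts produce no policy at all."""
    try:
        alert = unwrap(envelope_xml, key)
    except (ValueError, ET.ParseError):
        return [("reject", "unauthenticated-or-malformed-alert")]
    return derive_policy(alert)


if __name__ == "__main__":
    envelope = wrap(ALERT_BODY)
    print(handle(envelope))
    print(handle(envelope.replace("host-17", "host-99")))   # tampered in transit
```

The MAC is checked before any content is acted on, so an alert altered in transit (the `host-99` variant) yields a rejection rather than a policy that isolates the wrong device. A real exchange would also want replay protection (the alert id plus a timestamp) and per-source keys, which this sketch omits.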
A healthy cyber ecosystem would interoperate broadly, collaborate effectively in a distributed environment, respond with agility, and recover rapidly. With a rich web of security partnerships, shared strategies, pre-approved and pre-positioned digital policies, interoperable information exchanges, and healthy participants (persons, devices, and processes), a healthy cyber ecosystem could defend against a full spectrum of known and emerging threats, including attacks against the supply chain, remote network-based attacks, proximate or physical attacks, and insider attacks; improve the reliability and resilience of critical infrastructures; and better assure privacy, business processes, and missions.
Building Blocks for a Healthy Cyber Ecosystem

Building Block 1: Automation

Automated Courses of Action (ACOAs) are strategies that incorporate decisions made and actions taken in response to cyber situations. Automation frees humans to do what they do well: think, ask questions, and make judgments about complex situations. Automation allows the speed of response to approach the speed of attack, rather than relying on human responses to attacks that are occurring at machine speed. With the ability to execute at machine speed, defenders could get inside the turning circles or decision cycles of attackers. Further, automation could make it easier to adopt and adapt new or proven security solutions.

One potential inspiration for ACOAs is the human immune system, illustrated in Figure 3.[6]

[6] See Immunology, diversity, and homeostasis: the past and future of biologically inspired computer defenses, Anil Somayaji, Journal Information Security Tech., Vol 12, Issue 4, September 2007, http://portal.acm.org/beta/citation.cfm?id=1324630, for a useful survey of this field.
Figure 3: Overview of Human Immune System

Skin
1. Encapsulating physical barrier
2. Detection and early warning (touch)
3. Antibacterial and antifungal properties (e.g., acids)

Entry Points (e.g., eyes, mouth, nose)
1. Traps and filters (e.g., mucus, mast cells)
2. Detection and early warning (smell, taste)
3. Antipathogenic properties (e.g., tears, saliva)

Internal System (defenders and signaling)
1. Defenders are specialists: patrollers, killers, cleaners, or helpers
2. All cells that are part of the body (self) present an identifier that is known to defenders
3. Patrollers detect and counter invaders: cells that don't present a known good identifier or that have a known bad identifier (antigen)
4. Countermeasures may disable (toxic chemical action), prevent movement across cell walls, or destroy the invader
5. Helpers sound the alert and activate rapid production of more patrollers and killers
6. Helpers guide killers and cleaners to the detection site
7. Patrollers, killers, and cleaners also flood the bloodstream, looking for any other antigens
8. Helpers may activate supplementary kill mechanisms (e.g. fever)
9. Killers cause invaders and infected cells to die and cleaners engulf them
10. Specialized patrollers and killers that are primed with the invader's identifier are produced to remember and protect against future invasions
The internal system is actually two interrelated systems: one that is stationary and local to cells (cell-mediated) and one that is global to the entire body, moving throughout it via the bloodstream and lymph systems (humoral). Each of these interrelated systems has its own locus for sustainment (e.g., thymus, bone marrow) and sophisticated mechanisms for synchronized activity.[7][8]

A healthy cyber ecosystem might employ an automation strategy of fixed local defenses supported by mobile and global defenses at multiple levels. Such a strategy could enable the cyber ecosystem to sustain itself and supported missions while fighting through attacks. Further, it could enable the ecosystem to continuously strengthen itself against the cyber equivalent of autoimmune disorders. For example, within an organization, cyber devices that directly provide end user, mission, or business functionality might maintain a high awareness of user behavior, expectations, and service level agreements, be tuned to sense and respond to user situations, signal local or user level status to organizational devices, and correlate discoveries and synchronize responses with organizational devices.

[7] Human Physiology/The Immune System, http://en.wikibooks.org/wiki/Human_Physiology/The_Immune_System
[8] How Your Immune System Works, http://health.howstuffworks.com/immune-system.htm
Cyber devices that provide or manage organization-wide connectivity and services might be tuned to sense and respond to organizational situations, signal organizational status to user level devices, correlate discoveries and synchronize responses with user level devices, and provide support or augmentation to user situations. Enforcement of organizational policies such as privacy protection could be synchronized across user and organizational levels.

In addition to the ability to signal and synchronize across levels, each level could have internal synchronization and analysis capabilities. For example, all devices supporting users, or classes of users, could share a focus and convergence approach that would include security policies and pooled analytic resources, as could all devices supporting organizational services or classes of services. In turn, an organization could share information and coordinate activities or synchronize ACOAs with a larger business, political, or geographic domain, or with the worldwide cyber environment.
Cyber devices endowed with strong feed-forward and feedback signaling mechanisms that assume and can accommodate communications failures, and operating in an environment with trusted end-to-end identification and authentication of all participants, would enjoy a heightened ability to observe, record, and share what is happening to and around them. In turn, they could:
- Proactively take preventive measures;
- Reject requests that do not fit the profile of what is good, a priori, for themselves or the larger cyber environment;
- Sense malicious actors and autonomously refine the evidence captured for diagnosis or in support of the development of future prevention methods; and
- Autonomously enact defensive responses or even build such responses in real time.[9]
A companion source of inspiration for ACOAs comes from the public health sector, although for many processes in this domain, automation is some distance away. Public health services conduct population health surveillance and react to threats to the overall health of communities. The stated mission of the Centers for Disease Control and Prevention (CDC) is: "to collaborate to create the expertise, information, and tools that people and communities need to protect their health through health promotion, prevention of disease, injury and disability, and preparedness for new health threats."[10] The cyber equivalent of a CDC might perform functions such as the following:
- Watch: Gather data on cyber threats and cyber security outbreaks that are analogous to the information about diseases reported by health care providers.
- Data dissemination: Provide data about the spread and danger of threats to help communities and organizations plan protective measures and responses.
- Cyber threat analysis: Investigate and diagnose cyber threats in the community. Where possible, verify outbreaks of new cyber threats and understand the causes, extent and impact of these outbreaks.
- Intervention analysis and recommendations: Provide a cost/benefit analysis of potential interventions and make recommendations.
- Coordination of preventive actions: Coordinate response strategies and their execution, for example, the equivalent of quarantining and vaccination strategies or cyber patrolling for fraud.[11]

[9] Cyber Leap Year Summit Co-Chairs Report, http://www.cyber.st.dhs.gov/docs/National_Cyber_Leap_Year_Summit_2009_Co-Chairs_Report.pdf
[10] The CDC Mission, http://www.cdc.gov/about/organization/mission.htm
Building Block 2: Interoperability

Interoperability allows cyber communities to be defined by policies rather than by technical constraints and permits cyber participants to collaborate seamlessly and dynamically in automated community defense. Interoperability enables common operational pictures and shared situational awareness to emerge and disseminate rapidly. The creation of new kinds of intelligence (such as fused sensor inputs), coupled with rapid learning at both the machine and the human levels, could fundamentally change the ecosystem.

Unfortunately, within cybersecurity today, many available devices (e.g., firewalls, file integrity checkers, virus scanners, intrusion detection systems, anti-malware software) operate independently and neither exchange data nor have consistent security policies. Each of them may have been developed by a different vendor, perhaps even competitors, without adherence to internationally accepted open standards. In other cases, the standards are not yet mature. Thus, in today's ecosystem, collaboration is possible but difficult. We must reach a point where the only barriers to collaboration across devices, people, and organizations are those we choose to impose by policy, not those that are imposed on us by technology.

Three types of interoperability[12] are fundamental to integrating the many disparate participants into a comprehensive cyber defense system that can create new intelligence and make and implement decisions at machine speed:
- Semantic Interoperability. The ability of each sending party to communicate data and have receiving parties understand the message in the sense intended by the sending party.
- Technical Interoperability. The ability for different technologies to communicate and exchange data based upon well-defined and widely adopted interface standards.
- Policy Interoperability. Common business processes related to the transmission, receipt, and acceptance of data among participants.

[11] An approach that is also inspired by public health models is described in Collective Defense: Applying Public Health Models to the Internet, http://www.microsoft.com/mscorp/twc/endtoendtrust/vision/internethealth.aspx. In this approach, access to other online resources is contingent upon the health of a device. Devices seeking access must be able to demonstrate good health through a trusted health certificate. If the device's health level is acceptable, then access is granted. If a security concern is identified, then the entity being petitioned for access (an Internet Service Provider, for example) could provide a notice that assists the user in addressing the security concern, render advice or assistance, or direct the user to resources for remediation.
[12] National Strategy for Trusted Identities in Cyberspace (NSTIC)
Within cybersecurity, all three types of interoperability are being enabled through an approach that has been refined over the past decade by many in industry, academia, and government. It is an information-oriented approach, generally referred to as [cyber] security content automation, and comprises the following elements.[13]

- Enumerations. These are lists or catalogs of the fundamental entities of cybersecurity, for example, cyber devices and software items (CPE); device and software configurations (CCE); publicly known weaknesses in architecture, design, or code (CWE); publicly known flaws or vulnerabilities (CVE); or publicly known attack patterns (CAPEC). Enumerations enable semantic interoperability.
- Languages and Formats. These incorporate enumerations and support the creation of machine-readable security state assertions, assessment results, audit logs, messages, and reports. Examples include patterns associated with assets, configurations, vulnerabilities, and software patches (XCCDF & OVAL); security announcements (CAIF), events (CEE), malware (MAEC); risk associated with vulnerability (CVSS), sensor collection and correlation (ARF), and US-CERT security bulletins and incident reports (NIEM). Languages and formats enable technical interoperability.
- Knowledge Repositories. These contain a broad collection of best practices, benchmarks, profiles, standards, templates, checklists, tools, guidelines, rules, and principles, among others. In many respects, knowledge repositories serve as the cybersecurity community memory and enable policy interoperability. Examples include Information Assurance Checklists housed on the National Checklist Program website (http://checklists.nist.gov/), Department of Defense Security Technical Implementation Guides (STIGs), and vendor guides.
Figure 4 presents a history of U.S. Government-supported security content automation efforts along with projected achievements through 2014. Projections are based on current resourcing and the interests of a largely volunteer and self-directed community. Figure 4 also illustrates how standards build upon themselves to expand functionality over time (e.g., the expansion of configuration management capabilities from desktops to networks).

[13] See the Glossary at the end of this paper for the full name of the various named standards.

Figure 4. History and Near-Term Forecast of Cyber Security Automation Standards Development
Another way to approach the evolution of cybersecurity content automation is through a strategic consideration of what is needed and possible. Figure 5 presents an array of security functions that can be transformed by content automation and exchange. Standards supporting the first wave are extant and documented in NIST SP 800-126, The Technical Specification for the Security Content Automation Protocol[14]. Many of the standards necessary to support the second wave are in development now, and some of the challenges associated with bridging the two waves are discussed later in this section. The third wave identifies a logical progression. As with the historical transition from e-commerce to e-business, succeeding waves build in capability and become more strategic in focus.

Figure 5: Strategic Consideration of Cyber Security Content Automation
[Figure: three waves of security functions. Functions named in the figure: Vulnerability Assessment, Configuration Assessment, Compliance Management, Asset Inventory, Malware Analysis, Structured Threat Information, Incident Reporting, Enterprise Reporting, Event Management, Remediation, Network Device Assessment, Remote Assessment, Software Assurance, Collaborative Threat Intelligence, Sensing and Warning, Response, Forensics and Damage Assessment, Recovery, Reconstitution, Modeling and Simulation, Supply Chain Assurance, Architecture, Design, Engineering, Testing, attestation, assurance and ...]

The success of any single function and the integration of functions within and across waves depend on semantic, technical, and policy interoperability. These three types of interoperability are themselves interdependent, and they mature as each adapts to changes in the other. Some level of semantic interoperability must be achieved and some vision of policy (or process) interoperability is necessary in order to successfully develop and employ technical interoperability. A simple example would be the publication of US-CERT bulletins in XML blobs. The technical standards must be underpinned by sender/receiver agreement on the meaning of the content and by agreement on how the XML-structured bulletins are to be received and processed. In turn, achievements in technical interoperability enable advances in semantic and policy interoperability, and these advances trigger further advances in technical interoperability.

[14] NIST SP 800-126 Rev 1, DRAFT The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.1, January 11, 2011, http://csrc.nist.gov/publications/PubsSPs.html
Advances in semantic and policy interoperability almost always start with persons and progress to devices. Further, advances in interoperability have short-term advantages. For example, the first wave of security content automation is enabling the recent federal commitment to continuous monitoring, and progress in the second wave, combined with gains achieved during the first wave, is enabling XML-based incident reporting to the US-CERT.

The three waves of automated security functions depicted in Figure 5 can be summarized as progress along three axes:

Figure 6: Axes of Progress

Axis        Progression
Space       From hosts to networks and applications
Time        From static to dynamic
Capability  From configuration to integrated policy and audit

A third way to examine cybersecurity content automation is through the generalized functional model in use by the standards community. As illustrated in Figure 7 below, the security functions contained in this model generally represent the first wave plus a portion of the second wave. Security content automation standards that can facilitate the exchange of information with and among functions are annotated adjacent to each function, input, or output.
Figure 7: Generalized Functional Model Informing Standards Development

This model is lifecycle-oriented and enterprise- or organization-focused. Capabilities are expected to build on one another (from left to right). Each function (e.g., asset inventory, configuration guidance analysis, vulnerability analysis) is viewed as a black box and assumed to be provided by current or future commercial products. Integration across functions is also assumed. The current model does not address formulation or dynamic evolution of ACOAs; however, it does provide a reasonable foundation for ACOA execution.

In general, the functions can be organized into pre-incident detection (asset inventory, configuration guidance analysis, and vulnerability analysis plus threat analysis) and post-incident detection (intrusion detection and incident management plus threat analysis). This organizing construct aligns with the waves presented in Figure 5 above. As illustrated, the structuring of threat information is a second-wave activity. The effort to standardize threat alerts and automate threat analysis may prove more complex than previous security content automation efforts because standardization must:

- Bridge these two operational dimensions (pre- and post-incident detection); and
- Add value for enterprises that lack automated capabilities on one side or the other.

In addition, on the whole, the post-incident detection space is less standards-based than the pre-incident detection space. Advances in semantic and policy interoperability regarding what constitutes a reportable incident, what attributes best support incident management, and how these attributes are to be sourced and shared are needed to advance technical standards and interoperability.
Building Block 3: Authentication

Authentication should enable trusted online decisions. Nearly every decision in an online environment involves resources and actors at a distance. When needed for a decision, authentication provides appropriate assurance that the participants are authentic or genuine, and it should do so in a way that enhances individual privacy. In a healthy ecosystem, authentication could extend beyond persons to include cyber devices (e.g., computers, software, or information).

Authentication is critical to cyber defense because communications and content attribution are essential factors in security decisions. Authentication is also foundational to many capabilities beyond cyber defense.[15]

In a healthy cyber ecosystem, sending and receiving parties could be known and accountable for their actions, but protect anonymity where it may be needed to preserve the purpose of the exchange. Consumers of shared cyber awareness could judge the trustworthiness of providers and their contributions, and providers could confirm that requesters are authorized access to such information. Authentication mechanisms could be strong enough to protect against identity theft and spoofing, while at the same time remain affordable, easy to use and administer, scalable, and interoperable. They could also be designed to enhance individual privacy by allowing voluntary, opt-in regimes.

Common authentication technologies rely on (1) something you know (e.g., passwords), (2) something you have (e.g., digital credential), or (3) something you are (e.g., biometrics). Each of these technologies has characteristics that impact security strength, affordability, ease of use and administration, scalability, and interoperability. Significant considerations include ease of integration into emerging and deployed devices and software applications and ease of exchange or federation across networks and organizations.

Unfortunately, in today's market, system developers and owners find few if any technologies that deliver on all five operational objectives: security, affordability, ease of use and administration, scalability, and interoperability. The usual approach is to divide up enterprises and use populations to control and vary the objective that gets optimized. This creates a complex landscape of multiple authentication technologies with limited interoperability, vulnerable security seams, and barriers to business or organizational change.

A healthy cyber ecosystem could have standards-based authentication technologies that deliver more comprehensively across all five operational objectives. To support near-term decisions, consumer guides that rate technologies across all five objectives and assist system developers and owners in making phased improvements and selections could be available. For automated cyber defense, a healthy cyber ecosystem could have strong standards-based device authentication, including small and usually wireless devices composing massively scalable grids.

Finally, a healthy ecosystem could have broad ways to express and manage trust that combine trust attributes about people, transactions, technology, and information into new decision frameworks and metrics. Such frameworks could recognize that trust is not a binary or static state, but is fluid and conditioned upon evolving operational and environmental factors.

[15] For additional detail, see the National Strategy for Trusted Identities in Cyberspace, available at http://www.dhs.gov/xlibrary/assets/ns_tic.pdf
Key Concepts: Focus, Convergence, and Maturity

The prevailing construct for cybersecurity is illustrated in Figure 8. Cybersecurity processes are a combination of local and global activities. The distribution of activities between local and global may differ from process to process, activity to activity, participant to participant, or event to event. The range of local to global extends from the circuitry within a single cyber device (e.g., a mobile phone, personal computer, medical device, or electric grid component) to distributed software applications, data centers, networks, and clouds. To successfully defend against active and intelligent adversaries in such complex and uncertain networked environments, current thinking suggests the need for a new view of command and control, one that emphasizes agility, focus, and convergence:

Figure 8. Prevailing Cybersecurity Construct

    In brief, agility is the critical capability that organizations need to meet the challenges of complexity and uncertainty; focus provides the context and defines the purposes of the endeavor; convergence is the goal-seeking process that guides actions and effects. ... Focus as a replacement for command speaks directly to what command is meant to accomplish while being agnostic with respect to the existence of someone in charge or particular lines of authority. Similarly, convergence speaks directly to what control (the verb) is meant to achieve without asserting that control as a verb is possible or desirable.[16]

As suggested earlier, this paper focuses primarily on how networked devices can become actors in their own and the network's defense. To illustrate a range of capabilities that such devices will begin to embody, we present a five-level maturity model in Figure 9.[17]

[16] Agility, Focus, and Convergence: The Future of Command and Control, David S. Alberts (OASD NII), The International C2 Journal, Vol 1, No 1, 2007, http://www.dodccrp.org/files/IC2J_v1n1_01_Alberts.pdf
The model considers Focus and Convergence (F&C) in terms of increasing agility, that is, effectiveness in dealing with change over time. As with other maturity models, Level 5 represents the highest level of focus and convergence, while Level 1 represents the lowest. The five-level model is not a normative scale. That is, Level 5 is not always better than Level 3. Communities may opt to operate at lower levels for reasons of cost, efficiency, or other reasons. Describing the ecosystem in terms of multiple levels helps illustrate and demonstrate a system's high tolerance for diversity, as different communities will inevitably have different needs and be in different stages of evolution at any given point in time. For example, there are a number of outdated system components within the nation's critical infrastructure that are not able to interface with modern systems but will remain an important part of the ecosystem in the near term. The ability to leapfrog from this legacy technology to a modern cyber infrastructure is something that should be explored.

Figure 9: Focus and Convergence Maturity Model for Networked Environments

F&C Maturity Levels

Level 5, Edge F&C: Characterized by a robustly networked collection of devices having widespread and easy access to information, sharing information extensively, interacting in a rich and continuous fashion, and having the broadest possible distribution of decision rights. The objective of Edge F&C is to enable the community to self-synchronize in an agile and adaptable manner.

Level 4, Collaborative F&C: Characterized by multiple devices working together toward a common purpose and under a single, shared plan. Involves a considerable delegation of decision rights to the community. Aims to develop synergies by negotiating and establishing shared intent as well as a shared security policy, establishing or reconfiguring roles, coupling actions, and by engendering a rich sharing of resources and awareness.

Level 3, Coordinated F&C: Characterized by multiple devices related by mutual support for intent, expressed as links between and among security policies and actions that reinforce and enhance effects along with some pooling of resources for specified activities.

Level 2, Deconflicted F&C: Characterized by a partitioning of the problem space among devices to avoid adverse cross-effects. Establishment and maintenance of the partitions requires limited information sharing and interaction among devices.

Level 1, Isolated F&C: Characterized by individual devices exercising focus and convergence only over their own resources. Hence, there is no shared objective; neither is there information distribution nor any other interaction among devices.

[17] Adapted from the North Atlantic Treaty Organization (NATO) Network Enabled Capability (NEC) C2 Maturity Model, February 2010, www.dodccrp.org
To consider how such a model might be applied, a framework for defining and thinking about the space of all possible F&C approaches is helpful. Three variables define the essence of F&C, and thus the F&C Approach Space is illustrated in Figure 10 below.

Figure 10: Focus and Convergence (F&C) Approach Space[18]

As Figure 10 illustrates, any focus and convergence approach may be viewed as a function of three interrelated dimensions:

1. The allocation of decision rights to the community;
2. The patterns of interaction that take place between and among devices; and
3. The distribution of information among devices.

Figure 11 summarizes how these three dimensions vary among the F&C levels.

Figure 11: Dimensions of Focus and Convergence[19]

Increased agility (moving from the bottom left to top right within the F&C approach space in Figure 10) can be viewed as:

- The ability of devices to adopt ever wider ranges of approaches;
- The ability of devices to recognize and adopt an appropriate approach, which is determined by the nature of the situation and how it is likely to evolve; and
- The ability of devices to change approaches if necessary in a timely manner.

Considering F&C within an approach space also supports a growing recognition that there may be no single best system design or configuration, no best process for all situations and circumstances. Rather than optimization, the uncertainty in the mission space combined with the diverse and interacting effects of countermeasures and the complexity inherent in collective action lead to a need for agility. This might mean that devices routinely operate at lower levels of F&C for economy but have the ability to switch to higher levels of F&C for selected situations. It might also mean that routine F&C levels vary by devices' roles or locations within the ecosystem.

[18] NATO NEC C2 Maturity Model
[19] NATO NEC C2 Maturity Model
Increased agility among cyber devices is necessarily dependent upon and exists in synchrony with the agility of the organizations that own and operate them and the business or mission processes that consume their services. The three building blocks described earlier, automation, authentication and interoperability, increase agility and enable collective cyber defense. Decision rights originate with persons, organizations and business processes; and interoperability ensures that any delegation to cyber devices is communicated in a way that both humans and machines can understand. Automation provides the ability to act upon delegated decision rights at machine speed, and authentication allows the data necessary for a given decision to be trusted.

Attributes of a Healthy Cyber Ecosystem

Looking at the ecosystem through building blocks and maturity levels helps envision how a healthy ecosystem might work and how it might self-defend through automated collective action. This section begins to examine the desired end state. What might be different in a healthy ecosystem? What might be the value added?

In a healthy cyber ecosystem, we might find:

- Information connected across space and time. Information discovered or created in one part of the ecosystem conveys rapidly to others rather than being siloed, e.g., information is preserved in ways that help discover patterns over time and can be configured to protect Personally Identifiable Information (PII) and other sensitive data.
- Rapid and essentially universal learning. Machines learn from each other and people learn from machines.
- Greater attribution. Machines and humans work together to improve attribution where needed while enhancing privacy.
- New analytics. Data from multiple, otherwise discrete sources (e.g., sensors, red teams, trouble tickets) are fused, aggregated or otherwise transformed to create new intelligence.
- Greater network reach. Security content is separated from delivery mechanisms and managed as an ecosystem asset. Earlier research in Tailored Trustworthy Spaces[20] results in powerful new ways to work across multiple trust or classification levels.
- New defensive tactics. Earlier research in Moving Target Defense[21], combined with shared security policies and new intelligence, enables new courses of action such as dynamic networking or uncertainty. In other words, attacks only work once (i.e., one victim or one device) if at all.
- Lifecycle Feedback. Rich feedback loops from operations into the front end of system and technology lifecycles reduce costs, shorten adoption cycles, and improve ecosystem health.

[20] Federal Cybersecurity Game-change Research and Development (R&D) Themes, http://cybersecurity.nitrd.gov/page/federal-cybersecurity-1
[21] Federal Cybersecurity Game-change Research and Development (R&D) Themes
Another way to examine the desired end state is through the qualities or attributes the building blocks might help create. A healthy cyber ecosystem might be:

- Inclusive. Encompassing capabilities embedded in an ever-widening web that extends far beyond traditional notions of the public Internet or of information technology (IT) and services. A healthy cyber ecosystem would include the Smart Grid with its energy-controlled home networks and IP-addressable appliances, the next generation of the National Airspace System which takes advantage of satellite capabilities, and the large number of legacy devices and control systems which must interoperate with the newest technologies.
- Effective. Able to defend against all types of cyber threats, including supply chain attacks; remote or network-based attacks, including those launched by sophisticated and well-resourced attackers using persistent methods; proximate or physical attacks or adverse events; and insider or disgruntled employee attacks.
- Smart. Able to sense the environment, recognize patterns, and share information in near real time across sectors and communities at both the human and machine levels in order to assure authorized transactions, prevent the most serious security breaches and increase response effectiveness when breaches or other adverse events do occur.
- Barrier-free. Having security choices instantiated in configurable digital policies rather than being hardwired in network or system designs or imposed by technology limitations or shortfalls. Designers would design with the assumption that everything will be shared with everyone, and the only barriers to collaboration would be those imposed by policy.
- Optimized. Having capabilities and decision-making allocated among humans and machines so as to best leverage the strengths and cycle times of each, consistent with maintaining agility. Further, having cyber defense organized so that machines defend against machines and people defend against people.
- Understandable. Having security expressed in user or stakeholder terms rather than in specialized security jargon and recognizing that everyone is a cybersecurity stakeholder. For example, stakeholders might want global visibility into the cyber environment, the ability to query the environment and get back a high-fidelity answer, and the ability to rationalize security costs.
- Assured. Able to sustain consumer confidence over time. This might mean moving beyond traditional security notions of preventing unwanted transactions to ensuring the right transactions occur, which could contribute more broadly to a sense of consumer safety and trust in sector operations for transportation, energy, health, etc.
- Usable. Having assembly, configuration, operational, and performance properties that are straightforward and well-behaving, rather than overwhelmingly complicated, brittle, and error-prone.
Attributes of Healthy Participants

Just as healthy individuals are essential to healthy communities, healthy participants are essential to a healthy cyber ecosystem. Cyber ecosystem participants include persons (both individuals and entities), devices, and processes.

Persons who are unhealthy cyber participants might lack awareness or skills, or they may not be who they claim. Persons who are healthy cyber participants might have continuing access to a range of education, training and awareness opportunities, including but not limited to exercises, simulations, and fully immersive learning environments. Further, they might have validated skills that have been codified for their occupations or positions and strongly proofed cyber identities.

Unhealthy cyber devices (computers, software, and communications technologies) lack awareness, functionality, or capacity or feature purposeful deceptions. Healthy cyber devices are:

- Self-Aware. Having the ability to collect information about security properties, draw conclusions, and report or act upon the conclusions.
- User-Aware. Having the ability to collect or receive and process information about supported users, missions, or business processes or assigned role in a larger cyber infrastructure plus ability to draw conclusions, report or act upon the conclusions, and implement policies that assure user privacy.
- Environmentally Aware. Having the ability to collect or receive and process information about the security of surrounding cyber devices of interest or the cyber environment, draw conclusions, and report or act upon the conclusions.
- Smart. Having the ability to retrospectively examine events and associated responses, correlate historical patterns with current status data, and either select from a range of ACOAs or formulate a new ACOA. Examples of ACOAs that may be deployed in near real time include filtering or rerouting traffic, cordoning off portions of the network or applications, changing access levels, reconfiguring assets, and quarantining users.
- Autonomously Reacting. Having the ability to initiate an ACOA.
- Dynamic. Having the ability to alter appearance or persona. Ideally, alterations are enacted on cycle times that are shorter than target acquisition and attack execution times. For example, today's systems tend to rely on selected system parameters for security, such as duration of timeouts or corruption thresholds. Typically, these parameters are chosen in advance and fixed for the lifetime of the system. Future devices could make these parameters variable. Additionally or alternatively, virtualization could be employed to project multiple decoy systems to confuse attackers and to frequently roll back actual systems to a known good state in order to obviate
- Collaborative. Having the ability to work in partnership with other participants to collect and assess security information, and select, formulate, or alter an ACOA intended to counter an attack or sustain priority services.
- Heterogeneous. Having the ability to collaborate with other participants using a common communications channel despite differences in affiliation, security policies or service level agreements.
- Diversifying. Having the ability to sense the appearance or persona of surrounding devices and to make oneself different from other devices.
- Resilient. For cyber defense purposes, having sufficient capacity to simultaneously collect or receive and assess security information, execute any ACOA, make alterations to the ACOA as needed, and sustain agreed-upon service levels.
- Trustworthy. Performing as expected and only as expected despite environmental disruption, user and operator errors, and attacks by hostile parties. Three approaches for achieving trustworthiness are software assurance[22], hardware-enabled trust (e.g., Trusted Computing Group-based technologies, associated system architectures such as Network Admission Control or Trusted Network Connection and trusted virtualization) and data provenance (e.g., metadata tags and labels containing identity, origin, and transformation history).

Unhealthy information exchanges should be expensive or difficult to adapt. Or they might be easily compromised, disrupted, or corrupted. Healthy information exchanges are:

- Secure. Secure exchanges are those in which the identities of all participants in an exchange are authenticated, appropriate digital identities and minimum attribute data are asserted, and the vulnerability of any communications in the exchange to unauthorized interception, diversion, access, use, modification or disclosure is minimized[23].
- Environmentally Sustainable. Environmentally sustainable exchanges are structured for the most rational use of cyber resources (least effort), are bandwidth-friendly, easy to administer, and easy to achieve (for example, are broadly incorporated into commercial solutions).
- Rapidly customizable. Rapidly customizable exchanges are enabled by user-configurable profiles, parameters and rules and by open application programming interfaces (APIs).
- Lightweight and loosely coupled. Lightweight and loosely coupled exchanges are those that are achievable with existing infrastructure and with minor upgrades to existing tools and services, rather than through approaches that require extensive redesign.

[22] DHS Software Assurance Program, https://buildsecurityin.us-cert.gov/swa/
[23] National Strategy for Trusted Identities in Cyberspace (NSTIC)
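To make the "Secure" exchange property and the data-provenance approach under "Trustworthy" concrete, here is an added example in Python (not code from the DHS paper). It sketches an exchange in which the sender's identity is authenticated, alteration in transit is detectable, attributes outside an agreed minimum set are refused, and every message carries the provenance tags the paper lists (identity, origin, transformation history), so that a relaying party such as a Cyber CDC can anonymize a finding for onward sharing and still be accountable for that step. Assumptions: participants share HMAC keys provisioned out of band (a stand-in for credentials issued under a real identity scheme), and the envelope layout, the allowed-attribute policy, the participant names and the sample finding are all constructed for this example.

```python
"""Authenticated, provenance-tagged security information exchange.

Added example, not code from the DHS paper. Keys, policy, participant
names and the sample finding are constructed for illustration.
"""
import hashlib
import hmac
import json

# Constructed keyring (participant id -> shared HMAC key). Assumption: keys
# are provisioned out of band; a deployed ecosystem would bind them to
# credentials issued under a scheme such as NSTIC rather than raw secrets.
KEYRING = {
    "sensor-a.example": b"constructed-key-sensor-a",
    "cdc.example": b"constructed-key-cdc",
}

# Exchange policy (constructed): the only attributes a sender may assert
# about a reported host. Refusing anything else keeps exchanges at the
# minimum attribute data they need and keeps user PII off the channel.
ALLOWED_ATTRIBUTES = {"host_id", "cpe", "finding", "severity"}


def canonical(envelope):
    """Deterministic JSON bytes so both ends authenticate the same octets."""
    return json.dumps(envelope, sort_keys=True, separators=(",", ":")).encode()


def sign(sender, body):
    """Wrap a body in provenance tags and authenticate it with HMAC-SHA256."""
    envelope = {
        "body": dict(body),
        "provenance": {
            "identity": sender,   # who is asserting this message now
            "origin": sender,     # where the information was first produced
            "history": [],        # transformations applied along the way
        },
    }
    mac = hmac.new(KEYRING[sender], canonical(envelope), hashlib.sha256)
    return {"envelope": envelope, "mac": mac.hexdigest()}


def verify(signed):
    """Return (ok, reason); ok only if identity, integrity and policy hold."""
    env = signed["envelope"]
    sender = env["provenance"]["identity"]
    key = KEYRING.get(sender)
    if key is None:
        return False, "unknown participant %r" % sender
    expected = hmac.new(key, canonical(env), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signed["mac"]):
        return False, "MAC mismatch: message altered or wrong key"
    extra = set(env["body"]) - ALLOWED_ATTRIBUTES
    if extra:
        return False, "attributes outside policy: %s" % sorted(extra)
    return True, "ok"


def anonymize_host(body):
    """Example transformation for onward sharing: hash the host identifier."""
    out = dict(body)
    digest = hashlib.sha256(body["host_id"].encode()).hexdigest()
    out["host_id"] = "h-" + digest[:12]
    return out


def relay(signed, relayer, transform):
    """Forward a verified message: apply a transformation, record it in the
    history, and re-sign under the relayer's identity. Origin is preserved so
    downstream receivers can attribute both the source and each step."""
    ok, reason = verify(signed)
    if not ok:
        raise ValueError("refusing to relay: " + reason)
    env = json.loads(json.dumps(signed["envelope"]))   # deep copy
    env["body"] = transform(env["body"])
    env["provenance"]["history"].append(
        {"by": relayer, "did": transform.__name__})
    env["provenance"]["identity"] = relayer
    mac = hmac.new(KEYRING[relayer], canonical(env), hashlib.sha256)
    return {"envelope": env, "mac": mac.hexdigest()}


if __name__ == "__main__":
    # Constructed finding from a sensor, relayed onward by a Cyber CDC.
    finding = {"host_id": "ws-0417", "cpe": "cpe:/o:examplecorp:deskos:7",
               "finding": "configuration drift", "severity": "Medium"}
    msg = sign("sensor-a.example", finding)
    print("sensor message:", verify(msg))
    tampered = sign("sensor-a.example", finding)
    tampered["envelope"]["body"]["severity"] = "Low"
    print("tampered copy: ", verify(tampered))
    shared = relay(msg, "cdc.example", anonymize_host)
    print("relayed copy:  ", verify(shared), shared["envelope"]["provenance"])
```

The MAC covers the provenance block as well as the body, so a relayer cannot quietly rewrite the origin or drop a history entry; and because relay() re-verifies before forwarding, a message that fails any of the three checks stops at the first hop rather than propagating at machine speed.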
Ecosystem-generated value, desired ecosystem and participant attributes, and ecosystem building blocks all work together. For example, an ecosystem with the ability to make automated adjustments to configuration in response to trust choices would offer increased reliability and resilience for supported business, social and civic processes while improving the privacy and civil liberties of users. An ecosystem with such abilities would also be self-defending. A self-defending ecosystem with human involvement could force attackers to take more risks and be more exposed. These activities, combined with greater attribution, could enable law enforcement or other deterrence to be more effective. A healthy ecosystem, in other words, mutually reinforces security, usability, reliability, and the protection of privacy and civil liberties.

Incentives and Adoption

We know today that users are not routinely complying with cyber best practices and configuration guidelines. Adoption of security standards is decidedly slow, and early indications are that cybersecurity continuous monitoring will face impediments to adoption. This indicates an imbalance of incentives, whereby defenders are not incented, but attackers are.

A persistent challenge in today's ecosystem is the inability to establish level of harm as a result of a cyber incident, be it loss of intellectual property, privacy, consumer confidence, business opportunity, or essential services. Such inability may be due in part to a lack of agreement on how to establish extent in a highly interconnected environment as well as how to measure, validate, and communicate effects. It may also be due in part to a lack of trust, which impedes information sharing and collaboration.

Earlier, this paper proposed types of activities that might be associated with an appropriately automated and distributed Cyber CDC that performs threat and incident watch, data dissemination, threat analysis, intervention analysis and recommendations, and coordination of preventive actions. In addition to promoting cyber health among communities, such a capability could provide vendors and system owners with the information and insight needed to diagnose problems and evaluate options for new or improved capabilities. One way to get started is through increased sharing of anonymized cyber incident and mitigation data. Aggregation and analysis of such data might lead to an improved ability to show how investments in cyber health can reduce operating costs, improve business agility, or avoid extensive mitigation costs (e.g., the cost of data leakage protection software compared with the cost of mitigating large-scale identity information disclosure). Such insights would likely strengthen consumer demand for healthy products and services and reduce risks to participants.
WayAheadWhilethispaperhaspresentedacomprehensiveviewofahealthycyberecosystem,thereare
manyopenquestions.Onthemoretechnicalside,theyinclude: Cantheongoingworkon
securitycontentautomationberepurposedforselfdefense? Willcommercialproducts
conformto
open
standards?
To
what
extent
can
focus,
convergence,
and
agility
be
decentralizedtocybersystemsinanautonomic(i.e.,selfmanaging)fashion? Canautonomic
defensesscaletoencompasslargescale,distributedandmultidomainenvironments(e.g.,
mobiletelephony,IPbasednetworks,andcomputingplatforms),andifso,whatelementsof
trustwouldberequired?
Moreover,thepathtosuccessfulrealizationisunclear.Whatarethebusinessdriversthatwill
incentthenecessaryinvestments?Whataretheappropriaterolesandresponsibilitiesofthe
publicandprivatesectorindeliveringthehealthyecosystem?Whichelementsshouldbe
prioritizedforearlyrealization?
Asahealthycyberecosystememerges,governancequestionsbecomesalient.Willsystem
ownerscede
decision
making
to
the
community?
Who
sets
policy
for
inter
enterprise
informationexchangeanddeploymentofcountermeasures? Whatliabilityregimesapplyfor
collateralconsequencesofcountermeasuredeployment(orthefailuretodeployknown
countermeasures)? Whatlegalauthoritiesshouldlocalandnationalgovernments,aswellas
internationalentities,havetocompelactionbydevicesownedbyorservingprivatepartiesin
ordertosecurethelargercybercommons?
Clearly the field is ripe for planning and action. The authors welcome feedback on this paper, and comment on all aspects of the problem. We are continuing our own analysis, and we plan to publish our findings, together with your feedback ([email protected]), in a sequel paper and a proposed action plan that, at a minimum, identifies key game-changing initiatives for each of the three building blocks. Potential game-changing initiatives might include:

- Piloting, demonstration, and rapid promulgation of community and inter-community ACOAs for collective defense
- Piloting, demonstration, and rapid promulgation of security content automation standards for functions described in the second and third waves of Figure 5
- Building upon the draft NSTIC to achieve standards-based device authentication, including small and often wireless devices composing massively scalable grids.
Glossary

General Terms

Cyber devices is a general term used to refer to computers; software systems, applications or services; electronic communications systems, networks, or services; and the information contained therein.

Cyber participants refers to people, processes, and devices.

Information structuring refers to methods and standards that organize data into components and relationships. A general example of structured information is a United States address. Its components are street number, street name, city, state, and zip code. States have fixed two-letter codes and zip codes have a specified five- or nine-digit format. An example of structured cybersecurity information is Common Platform Enumeration (CPE), a naming scheme for some elements of cyber systems. The top-level components of a CPE are platform name, hardware parts, operating system parts, and application parts. Structured cybersecurity information is necessary to automate activities that identify and manage cyber devices and their components, describe and manage security configurations and vulnerabilities, identify and track attackers and attack tools (e.g., malicious code or botnets), detect and describe events and attacks, express and execute cybersecurity policies or courses of action, describe and provide notice of cyber posture, and so on.
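As an added illustration of the Information structuring entry (this code is not part of the white paper), the following Python script parses CPE names written in the CPE 2.2 URI form, which the paper does not spell out: `cpe:/` followed by colon-separated part (`h`, `o` or `a`), vendor, product, version, update, edition and language, with empty or omitted trailing components meaning "any". The asset inventory, the vulnerability record and the matching rule (a pattern matches a name when every non-empty pattern component equals the corresponding name component) are constructed assumptions. It shows one of the automated activities the entry says structured information enables: mapping a vulnerability record's affected platforms onto an inventory of managed devices.

```python
"""Added example: parsing CPE 2.2 URI names and matching them against an
asset inventory. Not from the white paper; the inventory, the vulnerability
record and the simplified matching rule are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List

# CPE 2.2 "part" component values and their meanings.
PARTS = {"h": "hardware", "o": "operating system", "a": "application"}
# Component order in a CPE 2.2 URI: cpe:/part:vendor:product:version:update:edition:language
FIELDS = ("part", "vendor", "product", "version", "update", "edition", "language")


@dataclass(frozen=True)
class CPEName:
    part: str
    vendor: str = ""
    product: str = ""
    version: str = ""
    update: str = ""
    edition: str = ""
    language: str = ""

    def matches(self, other: "CPEName") -> bool:
        """Simplified matching rule (assumption): self is a pattern whose empty
        components mean "any"; every non-empty component must equal other's."""
        return all(
            not getattr(self, f) or getattr(self, f) == getattr(other, f)
            for f in FIELDS
        )


def parse_cpe(uri: str) -> CPEName:
    """Split a CPE 2.2 URI into its named components; raise ValueError on bad input."""
    prefix = "cpe:/"
    if not uri.lower().startswith(prefix):
        raise ValueError(f"not a CPE 2.2 URI: {uri!r}")
    comps = uri[len(prefix):].lower().split(":")
    if len(comps) > len(FIELDS):
        raise ValueError(f"too many components in {uri!r}")
    if comps[0] not in PARTS:
        raise ValueError(f"part must be one of {sorted(PARTS)}: {uri!r}")
    comps += [""] * (len(FIELDS) - len(comps))  # omitted trailing components mean "any"
    return CPEName(*comps)


# Constructed sample inventory: host name -> CPE names of the platforms installed on it.
INVENTORY: Dict[str, List[str]] = {
    "ws-01": ["cpe:/o:microsoft:windows_7::sp1", "cpe:/a:adobe:reader:9.3.4"],
    "ws-02": ["cpe:/o:microsoft:windows_7::sp1", "cpe:/a:adobe:reader:10.1"],
    "srv-01": ["cpe:/o:redhat:enterprise_linux:6", "cpe:/a:apache:http_server:2.2.15"],
}

# Constructed vulnerability record: the platforms it affects, as CPE names.
# The Windows entry has no version/update components, so it covers every Windows 7 install.
VULN_AFFECTS: List[str] = ["cpe:/a:adobe:reader:9.3.4", "cpe:/o:microsoft:windows_7"]


def affected_hosts(inventory: Dict[str, List[str]], affected: List[str]) -> Dict[str, List[str]]:
    """Return, per host, the inventory entries matched by any affected-platform pattern."""
    patterns = [parse_cpe(p) for p in affected]
    hits: Dict[str, List[str]] = {}
    for host, names in inventory.items():
        matched = [n for n in names if any(p.matches(parse_cpe(n)) for p in patterns)]
        if matched:
            hits[host] = matched
    return hits


if __name__ == "__main__":
    for host, names in affected_hosts(INVENTORY, VULN_AFFECTS).items():
        print(host, "->", ", ".join(names))
```

The point of the exercise is the contrast with a free-text inventory: because both the asset records and the vulnerability record use the same component structure, the match is a mechanical comparison that a device or a monitoring tool can run without human interpretation, which is exactly what the entry means by structured information being necessary for automation.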
Cyber information exchange refers to sharing relationships and protocols that allow cyber participants to publish and subscribe, signal, or request and respond with cybersecurity information using consistent semantics.
Standards Acronyms

ARF    Assessment Results Format
CAIF   Common Announcement Interchange Format
CAPEC  Common Attack Pattern Enumeration and Classification
CCE    Common Configuration Enumeration
CEE    Common Event Expression
CPE    Common Platform Enumeration
CVE    Common Vulnerabilities and Exposures
CVSS   Common Vulnerability Scoring System
CWE    Common Weakness Enumeration
IDMEF  Intrusion Detection Message Exchange Format
IODEF  Incident Object Description and Exchange Format
MAEC   Malware Attribute Enumeration and Characterization
NIEM   National Information Exchange Model
OVAL   Open Vulnerability and Assessment Language
SecDEF Security Description and Exchange Format
XCCDF  Extensible Configuration Checklist Description Format